Does Offshoring Threaten Combat Software?
PreacherTom writes, "Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that offshoring presents too great a risk."
Hysterical rubbish (Score:2, Funny)
Yours - Cylon number 6
Re: (Score:2)
Re: (Score:3, Informative)
At one time, the US had a "War Department" and a "Secretary of War". Sometime in history, we changed the name to "Department of Defense" and "Secretary of Defense". This happened about the time we stopped using the army for actual defense of the country and instead started using it to bully the rest of the world.
Re: (Score:2, Insightful)
Let's see now, who have we directly bullied since the War Department became the DoD?
North Korea - fuzzy, cuddly little things they are, what with the gulags, starvation, totalitarianism, etc.
North Vietnam - strict followers of peace and non-aggression, them. Never hurt a flea.
Grenada - after cuddly little Cubans took over the island nation by force and
Re: (Score:2)
Grenada - political turmoil. Reagan needed a quick victory to cover his ass after getting over 300 marines killed in Lebanon.
Iraq II - Bush lies about terrorist links and WMD's to bolster up his flagging machismo. Invades, makes a mess of things and destabilizes the region. On th
Re: (Score:2)
Saddam was our ally during the cold war. He had WMD because we supplied them.
Afghanistan - Wonderfully cordial and free thinking taliban, harboring terrorists and disallowing sports, music, games, education for women, etc. Bullies we were!!!
We supplied weapons to the Taliban during their long fight against Soviet occupation. The cold war took preceden
Re: (Score:2)
I remember comic genius Bill Hicks talking about this; he compared it to Jack Palance throwing the gun down at some guy's feet in some movie (you can see how well I remember, obviously) and saying "Pick it up" (Jack Palance face here) "No Mister, I don't want no troubl
Re: (Score:2)
Wow. This is a fairly clever troll. Just enough to seem like you're actually involved in the discussion, but in fact you're just baiting readers into some unrelated anti-American rant. Clever!
That's what, 75% of your points? To every single one of them I say: SO WHAT?
They ar
Re: (Score:2)
Re: (Score:2)
You're also a hopelessly twisted moonbat with a phase inverted worldview.
Thanks, I'll take that as a compliment coming from you.
Re: (Score:3, Insightful)
Where do you come up with this garbage? After all the wars listed by GP, we have yet to fill up a single mass grave of civilians. We have, however, found many filled by the country's previous asshole leaders. No one seems to give a shit about that!
So, to edit your statement to make it true:
So if a country's leaders are assholes, then the US has the duty to prevent the butchering of its people????
Re: (Score:2)
After all the wars listed by GP, we have yet to fill up a single mass grave of civilians.
One mass grave, thousands of smaller graves - do the dead care?
Re: (Score:2, Insightful)
Re: (Score:2)
It's not a pleasant thing to think about and goes against everything we're generally told, but nonetheless it is true.
The only duty the people who are involved in deciding when and where to deploy asymmetrical warfare (or standard warfare
Re: (Score:2)
If you mean bullying countries that are a direct threat to the world, then yes. The problem isn't that the U.S. is a bully... it's that no other country will step up to the plate.
If other countrie
Hanlon says ... (Score:2)
Never attribute to malice,
that which is easily explained by stupidity.
- Hanlon's Razor
Re: (Score:2)
Correct.
Ah, you missed it. Who misses out if software development goes offshore? American software development companies -- so they drum up some xenophobic sent
Re: (Score:2)
(Hint: the signature should be a dead giveaway.)
Re: (Score:2)
I am missing out.
No worries.
As a result, the Cylons found a remotely exploitable bug in the software; when the Cylons launched their surprise attack,
Re: (Score:2)
Re: (Score:3, Interesting)
Not too long ago, I had the chance to go to a contractor convention of one of our major clients. There, I had the chance to meet our Chinese counterpart and, even though he seemed very energetic and enthusiastic, it was apparent he was far from being on the same level as most of the contractors over there.
Later on, I asked our client what was the deal with the Chinese contractor. It turns out the client won a huge government contra
Re: (Score:2)
Re: (Score:2)
At least, not without paying a hefty fee for the privilege. Otherwise, it would be like Microsoft giving away free copies of Windows.
Re: (Score:2)
Not really. Consider the following highly unlikely scenario:
1) Give an enemy certain WMD blueprints [wikipedia.org]
2) Claim the enemy is hiding WMDs [wikipedia.org]
3) ???
4) Profit [wikipedia.org]
Examine the code for themselves (Score:2)
Some people never learn. [wikipedia.org]
Maybe they could just ask to see the source code and audit it themselves, or just use software with the source code available. It's not as though they need to write it themselves, just be able to examine the source code. If they don't want to, well, they get what they deserve.
Re: (Score:2)
That's par for the course for MS. Remember the expandable menus? Hope you didn't hover your mouse a moment too long before clicking -- you might have saved your document when you were looking for the page setup.
But then, I've seen it in open source too. Not monitoring the critical paths closely enough. Ha
Re: (Score:2)
Entering a zero into a field causes the ship's propulsion to die because some programmer, and all his reviewers, couldn't be bothered to check for zero in a division algorithm.
Well, that's probably because the programmer didn't write the division algorithm himself. I may be going out on a limb here, but I believe the programmer may have used a built-in operator from the programming language he was using, the operator being called "/".
But seriously, these sorts of things happen. And in fact, at the time
Re: (Score:2)
Very funny, asshole. I was talking about the function that contained that "/". *That* function should have made sure all denominators would be non-zero. That part of the package is most certainly *not* experimental. On that task, basic programmi
Re: (Score:2)
I'm not sure what Microsoft had to do with bad data entry.
Re: (Score:2)
Well, really bad data entry validation. Which would be the fault of the author of the database front-end. Whether that was Microsoft or a U.S. Navy software development team is unknown based on that article.
Re: (Score:2)
Web Myth: WinNT caused Navy ship to fail (Score:2)
Re: (Score:2)
Yeah, because *every* OS out there fails to check for valid input, and in fact, *must* fail to check for valid input.
Re: (Score:2)
Yeah, because *every* OS out there fails to check for valid input, and in fact, *must* fail to check for valid input.
Um, operating systems don't do that kind of input validation. They can't. Believe it or not, some programs actually use zeroes - and they have to mingle peaceably on the same OS with programs that don't allow zeroes.
The OS has no way of knowing what input is valid for each program - only the program knows that. It's the job of the program's creator to check for bad input - like division b
Re: (Score:2)
Re: (Score:2)
You are still erring. The OS does not control vital systems or manual overrides. That's what applications do. Furthermore, you seem to have missed the detail that this was a test platform running without safeguards to see what would go wrong.
What the software developer said:
"McKelvey adds that the crash would not have happened if the navy had
Re: (Score:2)
Well, that's an odd way of putting it, but yes, exactly. The OS can't possibly check for valid input. The problem reported was not a Windows-specific problem any more than it was a steel-hulled-ship-specific problem.
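The thread above turns on one point: a zero typed into a field reached a division that nothing had guarded, and the OS could not have caught it because only the application knows which fields may be zero. The following is an added example (not code from the Navy system or any poster) of where that check belongs: at the application's input boundary, with the processing loop surviving a rejected record. Field names and sample records are constructed.

```python
"""Guard a user-entered divisor at the application boundary.

The OS cannot know that 'elapsed_s' must be non-zero; the program that
divides by it must reject the bad field before the arithmetic runs, and
must keep running when one record is bad.
"""


class InvalidFieldError(ValueError):
    """Raised when an input field fails validation before it is used."""


def parse_divisor(raw: str, field: str) -> float:
    """Parse a text field destined to be a denominator.

    Rejects non-numeric text, zero (the failure the thread describes) and
    NaN, so the caller never divides by a value that will blow up.
    """
    try:
        value = float(raw.strip())
    except ValueError as exc:
        raise InvalidFieldError(f"{field}: not a number: {raw!r}") from exc
    if value == 0.0:            # also catches '-0' and '0.0'
        raise InvalidFieldError(f"{field}: zero is not a valid divisor")
    if value != value:          # NaN never compares equal to itself
        raise InvalidFieldError(f"{field}: NaN is not a valid divisor")
    return value


def unguarded_rate(distance_m: float, elapsed_s: float) -> float:
    """The pattern criticised in the thread: '/' with no zero check.

    A zero here raises ZeroDivisionError and, unhandled, kills the process.
    """
    return distance_m / elapsed_s


def guarded_rate(distance_m: float, elapsed_s_raw: str) -> float:
    """Same computation, but the field is validated before the division."""
    elapsed_s = parse_divisor(elapsed_s_raw, "elapsed_s")
    return distance_m / elapsed_s


def process_records(records: list) -> dict:
    """Run a batch through the guarded path.

    A bad record is reported and skipped; the loop (the 'propulsion')
    keeps running instead of dying on one operator typo.
    """
    results = {"rates": [], "rejected": []}
    for rec in records:
        try:
            rate = guarded_rate(rec["distance_m"], rec["elapsed_s"])
            results["rates"].append(rate)
        except InvalidFieldError as err:
            results["rejected"].append(f"{rec['id']}: {err}")
    return results


# Constructed sample input: r3 is the zero-entry case, r4 is garbage text.
SAMPLE_RECORDS = [
    {"id": "r1", "distance_m": 100.0, "elapsed_s": "20"},
    {"id": "r2", "distance_m": 50.0, "elapsed_s": "2.5"},
    {"id": "r3", "distance_m": 75.0, "elapsed_s": "0"},
    {"id": "r4", "distance_m": 10.0, "elapsed_s": "abc"},
]

if __name__ == "__main__":
    out = process_records(SAMPLE_RECORDS)
    print("rates:", out["rates"])
    for line in out["rejected"]:
        print("rejected:", line)
```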
Re: (Score:2)
Not good enough. See Ken Thompson's argument [acm.org] that any code that you cannot control with 100% certainty cannot be trusted. Even if the source is clean, the compiler, JVM or the like may insert malicious code that cannot be detected
Re: (Score:2)
Re: (Score:2)
Appeals to emotion for fun and profit (Score:4, Insightful)
Blaming "offshoring" is a neat wave of the bloody shirt, but I don't think it's relevant to the problem. Take the word "offshoring" out of that quote, and replace it with "outsourcing." Does it still make sense? Let's see:
"Pentagon officials report that 'maliciously placed code' could compromise the security of the Defense Department and, ultimately, hurt its ability to fight wars. The culprits: offshore programmers. While the Pentagon has stepped up its vendor screening and software testing of late, it's becoming more difficult and costly to test every line of software code on increasingly sophisticated weapons systems. The task force assigned to this issue will be soon presenting its report, and most likely will determine that outsourcing presents too great a risk."
Looks like it does.
If the problem is that there aren't enough resources (including time) to do a sufficiently thorough audit of all the code, then it doesn't matter where the code was written, does it? Do we really suppose that a malicious actor would have that much harder a time getting a job for a DoD contractor in the US than overseas? Do we really suppose that it would be that much more difficult to suborn a programmer overseas than here?
Or, more accurately, is it enough more difficult in either case for us to be confident of code written inside the country as opposed to outside?
It's not that I do think that offshored code is trustworthy, it's that I don't think "onshored" code is. And if we can't trust either, what does offshoring have to do with anything?
Re: (Score:2)
Re: (Score:3, Interesting)
Yes and yes (good word, by the way, had to look up "suborn"). We may not have the manpower here to conduct a thorough, line-by-line audit, but we do have legions of background investigators. And, it's currently illegal for a non-US citizen to hold a security cle
Re: (Score:2)
So Canadians, French, Japanese are "foxes", and Americans are all "hens"? I don't get the analogy here.
And they prevent employees from writing crap code, how?
Re: (Score:2)
The discussion isn't about preventing crap code, actually (at least from what I've read today). It's about keeping the code secure from outside espionage, malicious entries by foreign entities, and the like. To prevent authoring of bad code, you'll have to stop writing code altogether. For every good programmer, there's probably 10 to 15 average ones, and for every average coder, there's probably 25 - 30 crappy ones. You really can't prevent thi
Re: (Score:2)
No, no, you don't understand. See, the world is divided into the 300 million people who live inside our borders and the 6 billion outside. Every single one of the 300 million insiders is a patriotic, hard-working American who could never write any insecure code, intentionally or not; only the outsiders are suspect. Any rare exceptions to this rule are therefore c
Re: (Score:3, Interesting)
Click here [ranum.com] for a fascinating article describing how the CIA and FBI managed to sell to the Soviets some chips with bungled operations "hidden" in the chips, to be used for their shiny, new Trans-Siberian natural gas pipeline. The result was the largest non-nuclear explosion ever seen from space.
What goes around, comes around, and the government is get
Re: (Score:2)
I guess you don't, but yes, I suppose so.
Not that I care all that much either way.
Re: Background checks... was Appeals to emotion (Score:2, Interesting)
Re: (Score:2)
The problem is that a large portion of the software the DoD uses is commercial off-the-shelf stuff. Those usually aren't written by contractors who've been investigated or cleared. So even if DoD banned use of offshore-produced software, a foreign entity might not have that hard of a time infiltrating some US software company. It wouldn't take many such saboteurs if they were placed in the right co
Risk management (Score:2)
But there are levels of probability of this occurring. It's much less probable that a small group of well-screened on-shore programmers will introduce issues than a facility in another country where the government has no control or visibility into hiring, or systems deployment, or even tunnels under a building for that matter!
Not using offs
Re: (Score:2)
That's the question. Like I said, offshored code is less trustworthy. I don't believe, however, that locally sourced code is more trustworthy enough to not need review.
And if the review process is the problem, as the article says, then it doesn't matter where the code comes from.
Re: (Score:2)
You are confusing the issues. First, the finished code must be trustworthy. This is done by having skilled programmers, skilled managers, using the right tools, the right development methods, as well as the right testing methods. And of course you also need to be able to trust those programmers, so they don't put in backdoors, deliberate bugs, etc. Although the risk is probably pretty low.
Secondly, you need everyone involved in the project to be trustworthy. Having the best team in the world develop the
Re: (Score:2)
Is it safer to hire
* a citizen with security clearance to do the coding?
* a citizen of a country we are friendly with?
* a citizen of a country we are neutral with?
* a citizen of a country we are hostile but not at war with?
* a citizen of a country we are currently at war with to do the coding?
Now keep in mind that even if we are not in an open, bullets-flying war with China, they are still basically at economic war with us and very hostile. And that lots of peop
Re: (Score:2)
Re: (Score:2)
Should the Department of Defence in every Non-American country in the world develop their own operating system rather than use Windows or Unix because those systems are (mostly) developed in the USA?
The answer is probably not
The fact is that in the modern world corporations have no interest in nationality and are (exclusively) profit motivated. The US DoD pays really well compared to most other clients in the world and their main requirement is security. It really doesn't matter i
Re: (Score:2)
Buying software from US firms with programmers living in the US is no guarantee that, when a problem occurs, the programmer will still be in the US. Particularly if the programmer was planting malicious software on behalf of a foreign power, where it is quite likely they will seek to not be in the country by the time the sabotage becomes evident.
So unless you propo
Yeah, just think... (Score:3, Funny)
...what if they'd offshored WOPR?
"How about a nice game of Chinese Checkers?"
Re: (Score:2)
what costs to cut? (Score:2)
New tag: "noshit" (Score:3, Insightful)
I'm not sure of the exact law, but I believe there is one which basically says all U.S. defense procurement must come from domestic sources, unless it's some exceptional item that can only be purchased abroad. Maybe we need a law like that for government contracting and outsourcing. Unless there's a demonstrable reason for having to do it offshore, it shouldn't be.
Re: (Score:2)
New Tag: "fullofshit" (Score:2)
Why on earth would anybody (except the lucky government contractors) need that? And if there were something good about this idea, why wouldn't it be even better to ban all foreign spending by all private entities? There is nothing about a "tax dollar" that makes it different from any other dollar once it is spent.
No, there may be some security reasons for restricting military spending, but the economic interests of America and American
Re: (Score:2)
Re: (Score:2)
No, that's a myth as well. How many "$600 toilet seats" do you think it would take to fund the development of something like the B-2 bomber? Black projects are funded right out in the open, with line items reading "Project CODENAME ---- $47 million" and no details. They don't have to hide the
Re: (Score:2)
http://www.govexec.com/dailyfed/1298/120798t1.htm [govexec.com]
Other security risks (Score:2)
Fortunately... (Score:2)
they had me right up to... (Score:2)
It's not clear to me what software the Government is outsourcing or has outsourced or is considering. But it does seem they have at least dabbled in weapons systems and other software related to warfare being offshored. I can think of reasons this isn't a good idea...
Inconsistency (Score:5, Interesting)
And this software which we are not allowed to review may have been written by offshore programmers who will know perfectly well that they are doing the job because they are cheaper, and have absolutely no patriotic investment in the US?
I wonder how many other global empires have been brought down by the desire to make a quick buck?
Re: (Score:2)
I can't speak for other projects, but the UK government is definitely allowed to review the software my department writes for military equipment they purchase, and you may rest assured that they do a thorough job of it.
If there are any projects that don't permit code review, it is because the UK government didn't insist on it in the contract. The U.S. government doesn't rely on security by obs
Re: (Score:2)
It's people within the global empire trying to make a quick buck at the cost of the empire (weapons and aerospace companies).
Bibliography:
Roman Empire
Mongol Empire
USSR
And your point is? (Score:2)
Also, when I last checked, t
Don't Worry, Be Happy (Score:2)
yeah sure buddy SAM (Score:2)
Simply put, don't use offshore devs --- it's all in the contracts. You know, the ones that result in toilet seats costing thousands of dollars....
If defence programming is going to be open to companies anywhere in the world, then what exactly are you defending against?
Re: (Score:2)
Naysayers don't point out that the $15 million system was delivered for $15 million.
They don't point out that the "screw" was "99.1% titanium with
They don't point out that the 2 million dollar wing was sold for 1.6 million (though the $15 million plane was still $15 million).
Huge abuses exist- but some of them are not as bad as the news media makes them out to be.
Already affecting the military (Score:5, Interesting)
Re: (Score:2)
It's a conspiracy to sap and impurify all of our precious bodily fluids [imdb.com]!
Well Duh! (Score:2)
Re: (Score:2)
True, but homegrown coders can be held accountable. Try convincing the Indian government to hand over one of its citizens so we can prosecute him for espionage.
Globalization is a double edged sword (Score:2)
While we have our own home grown terrorists (Timothy McVeigh, Richard Reid, Ted Kaczynski et al), the condition of human rights and economic development in low wage, low cost countries poses a particular security concern, not only for military contracting but for commercial espionage. I'm not concerned ab
Offshoring firmware is even worse (Score:2)
Here's what scares me: the Intelligent Platform Management Interface [intel.com] (IPMI) and the Remote Management and Control Protocol [microsoft.com] (RMCP). Many machines in the field implement these protocols in the network controller, independent of the operating system.
These are UDP-based protocols, on port 623. They can be sent from anywhere on the Internet; not just local machines. They provide total power over the target computer. Functions include:
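The exposure the post describes, reduced to a check a defender can run: because the management controller answers UDP/623 regardless of the host OS, any such packet arriving from outside the management network is a finding. This is an added example, not code from the post or from any IPMI vendor; the flow-log format, the management range `10.99.0.0/24` and the sample addresses are constructed for illustration.

```python
"""Flag IPMI/RMCP (UDP/623) traffic reaching management controllers from
sources outside the permitted management network.

Assumption (constructed): out-of-band management is only ever reached from
MGMT_NETWORKS. Everything else hitting UDP/623 is exposure, whether or not
an IPMI session was actually completed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

IPMI_PORT = 623  # RMCP/IPMI over UDP, as the post states

# Assumed management range; adapt to the real site plan.
MGMT_NETWORKS = [ipaddress.ip_network("10.99.0.0/24")]


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow line: 'PROTO src:sport -> dst:dport'.

    Returns None for anything that does not match, so junk lines in a real
    log never abort the scan. IPv6 works because the port is split off the
    right-hand ':' and the remainder is validated as an address.
    """
    try:
        proto, src, arrow, dst = line.split()
        if arrow != "->":
            return None
        shost, sport = src.rsplit(":", 1)
        dhost, dport = dst.rsplit(":", 1)
        ipaddress.ip_address(shost)   # raises ValueError on garbage
        ipaddress.ip_address(dhost)
        return Flow(proto.upper(), shost, int(sport), dhost, int(dport))
    except ValueError:
        return None


def is_trusted_source(addr: str) -> bool:
    """True if the source lies inside one of the management networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MGMT_NETWORKS)


def find_exposed_ipmi(lines: Iterable[str]) -> List[str]:
    """Return one finding per UDP/623 packet from a non-management source."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.proto != "UDP" or flow.dport != IPMI_PORT:
            continue
        if not is_trusted_source(flow.src):
            findings.append(
                f"{flow.src} -> {flow.dst}:{flow.dport}/udp "
                "(IPMI reachable from outside the management network)"
            )
    return findings


# Constructed sample log: one legitimate management hit, two external UDP
# hits, one TCP line (not RMCP, ignored), one junk line, one unrelated flow.
SAMPLE_LOG = """\
UDP 10.99.0.7:50012 -> 10.99.0.20:623
UDP 198.51.100.23:40233 -> 10.99.0.20:623
TCP 198.51.100.23:40234 -> 10.99.0.20:623
UDP 203.0.113.9:1025 -> 10.99.0.21:623
not a flow line
UDP 10.0.5.5:53 -> 10.99.0.20:161
""".splitlines()

if __name__ == "__main__":
    for finding in find_exposed_ipmi(SAMPLE_LOG):
        print("EXPOSED:", finding)
```

A single hit from outside the management range means the controller is answering the Internet directly; the fix is a filtered, separately routed management network rather than anything the host OS can do.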
I really hope... (Score:2)
Let's see the issues here.
- The government took jobs away from Americans to try and save money.
Then, since they didn't think it through,
- The government failed to adequately protect its people by allowing foreigners, possibly enemies, to write code
Really?? (Score:2)
A friend of mine and I have both been wondering when the US policy on off-shoring would change. My constant source of confusion is h
All Your Base ... (Score:2)
Duh (Score:2)
One has bigger problems than malicious people planting trojans if they can't audit every line of their "mission critical" software OR hardware.
Would you trust your respirator and other hospital life support system to unaudited code whether or not it has been written by malicious people ? If not, then why should anyone trust his defense system ?
I remember there was a story long back about "intelligent guns" that identify their owners. No one thought it'd
it's not about the money... (Score:2)
Further proof the US government is full of morons (Score:2)
Proof that BusinessWeak is staffed by dumbos (Score:2)
I've worked in the defense industry. Yes, the idea is idiocy. That's why all software actually used in military systems is written by citizens with security clearances. I have no idea what this article is talking about, or their supposed Pentagon sources.
I once couldn't bring a prototype device into a classified area until we replaced a software driver made in England. And trying to use IP cores for FPGAs from overseas? One giant headache.
And I advise against using a blurb in BusinessWeek as "proof" of
Re: (Score:2)
So what they are saying... (Score:2)
I don't give a shit, personally (Score:2)
Stupidity ? Probably yes. (Score:2)
really? (Score:2)
Testing *reduces* cost, silly... (Score:2)
it's becoming more difficult and costly to test every line of software code
What do you mean, "more difficult and costly to test every line?" Every line, or close to every line, darned well ought to have test coverage before you commit it to your source code repository, let alone delivering it to the customer. And properly factored and coded classes and modules should be testable in isolation. If the cost of testing -- and, presumably, the cost of change -- is increasing drastically as the system size
WHooda thunk it?? (Score:2)
More lines of code should fall under scrutiny. But I am sure some enterprising devs will find a way to improve the automated scanning and maybe even run the stuff in infinite-scenario virtual machines to look for signal injection hijacking and other techniques. But war is not only supposed to be costly, it should be so frightening that most sane people will refuse to
Uh-huh (Score:2)
This includes not just software for computers and networks but, in some cases, programs for military aircraft, missile guidance, and battlefield management systems.
Okay, I can believe that "battlefield management systems" could have some commercial junk that came from somewhere, but otherwise I find large parts of this less than convincing.
About the missile guidance part I say: bullshit. Hell, for a lot of missiles, particularly older ones, the processor
Careful about policy changes (Score:2)
That will mean no Windows. But it will also mean no BSD, no Linux and I would doubt QNX or vxworks etc.
To have EVERYTHING audited down to the programmers' parents, you'd have to do it in the US and pay for it all from scratch. That means new, highly proprietary software that costs a heck of a lot and comes with more bugs than WinCE.
Ideally they should choose the most audited and high quality OS (regardless of who developed it), and build proprietary and secre
It's way beyond software. (Score:2)
When all the hubbub was going on about Dubai buying US ports, our government sold them 7 military plants on US soil.
Then there are all our politicians, of whom it is so very difficult to tell whether they are incompetent or working for some other foreign power to weaken the United States. Since it is so hard to tell, I have to ask: "what would be the difference?"
I don't think the world works the way we think it does, with pitched armies, and Communists plotting against Capitalists. I think it's just v
Re: (Score:3, Insightful)
The DOD didn't do it themselves... they outsourced it to contractor 1 who outsourced part 1A and 3B to contractor 2 who outsourced it offshore.